On average, it takes more than three days for organizations to discover and delete phishing emails that pass security defenses and enter employee inboxes.
There are many factors contributing to the delay, including lack of investigative tools, security resources, and employee awareness.
Barracuda Networks recently analyzed data collected from approximately 3,500 organizations to better understand what happens once phishing emails reach users’ inboxes. The analysis shows that an average organization of approximately 1,100 employees experiences approximately 15 incidents per month in which phishing emails pass through its malware and email filtering tools. In these incidents, an average of 10 employees were affected.
Mike Flouton, vice president of products at Barracuda, said that attacks that can pass enterprise defenses are usually highly targeted and focused on a small number of selected users within the organization.
“So, it’s not that 10 users received the email and the others didn’t receive it because it was blocked, but the attacker targeted 10 users in the first place,” Flouton said.
He said that email security tools have become very effective at preventing large-scale attacks, whereas social engineering attacks on a much smaller scale usually get through.
Phishing is still one of the main attack vectors threat actors use to gain an initial foothold in the corporate network. In recent years, malware hidden in email attachments, or hosted on sites users are directed to after clicking a phishing link, has caused more harm than almost any other attack vector. Verizon’s “2021 Data Breach Investigations Report” (DBIR) shows that of the 5,250 data breaches it investigated last year, about 36% were due to phishing. This marks a significant jump from last year’s 25%, mainly due to the increase in phishing activity using COVID-19-related lures since the beginning of the pandemic.
Verizon stated in its report: “Phishing uses quarantine to increase its frequency, reaching 36% of violations.”
Barracuda’s research found that 3% of employees who received phishing emails fell for them, either by opening malicious attachments or by clicking links to websites hosting malware. Typically, such users click the malicious link within 16 minutes of receiving the email.
At the same time, it takes the IT team an average of 83 hours, nearly three and a half days, to discover that malicious emails have landed in users’ inboxes. In most cases (nearly 68%), the security team discovered the malicious emails through internal threat hunting exercises, including searching mail logs or performing keyword and sender searches on delivered emails. How often security teams run these searches varies with the organization’s resources. Flouton says that ideally it needs to happen every day.
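The kind of mail-log search described above, as an added example (not Barracuda’s tooling and not code from the article): it parses a constructed, simplified delivered-mail log, pulls every delivery matching a suspected sender or a subject keyword, lists the mailboxes that need the message removed, and computes how long the message sat in inboxes before the hunt found it. The log format, addresses and timestamps are all assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of delivered-mail log lines (not real data); the format is
# an assumption standing in for whatever the mail gateway actually writes.
MAIL_LOG = """\
2021-06-01T09:12:00Z from=<billing@example-invoice.test> to=<alice@corp.example> subject="Invoice overdue - action required"
2021-06-01T09:12:03Z from=<billing@example-invoice.test> to=<bob@corp.example> subject="Invoice overdue - action required"
2021-06-01T10:40:21Z from=<hr@corp.example> to=<carol@corp.example> subject="Benefits enrollment reminder"
2021-06-02T14:05:47Z from=<noreply@office365-login.test> to=<dave@corp.example> subject="Your password expires today"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> subject="(?P<subject>[^"]*)"$'
)

def parse_ts(s):
    """Parse the assumed UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Parse each log line into a dict; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = parse_ts(d["ts"])
            events.append(d)
    return events

def hunt(events, sender=None, keyword=None):
    """Return delivered messages matching a suspected sender and/or a subject keyword (case-insensitive)."""
    hits = []
    for e in events:
        sender_ok = sender is None or e["sender"].lower() == sender.lower()
        kw_ok = keyword is None or keyword.lower() in e["subject"].lower()
        if sender_ok and kw_ok:
            hits.append(e)
    return hits

def affected_mailboxes(hits):
    """Distinct recipients that need the message pulled, sorted for stable reporting."""
    return sorted({e["rcpt"] for e in hits})

def dwell_hours(hits, detected_at):
    """Hours between first delivery of the matched messages and the time the hunt found them."""
    first = min(e["ts"] for e in hits)
    return (parse_ts(detected_at) - first).total_seconds() / 3600
```

Running `hunt` with the sample sender and a detection time of `2021-06-04T20:12:00Z` gives two affected mailboxes and a dwell time of 83 hours, the same figure the article reports as the average.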
User training is the key
Factors that affect how quickly an organization can detect malicious emails include a lack of appropriate tools, time, resources, and employee awareness. Barracuda found that when employees do report phishing incidents (24% of all incidents), the reports are often inaccurate, wasting the IT security team’s time.
Properly training employees to recognize and report phishing emails can reduce overall response time. Barracuda said that, in fact, after only two user awareness training programs, the accuracy of user-reported incidents improved by 73%.
“A good formula for a safety awareness training program is simulation, analysis, and education,” Flouton said.
Security teams should simulate the types of real threats their organization is likely to encounter. For example, users are often tricked by phishing simulations such as Office 365 service impersonation and business email compromise.
“By exposing them to these types of attacks and following up with the corresponding training materials [such as] videos, cue sheets, [and] games, on a consistent basis, users will be more likely to identify social engineering attacks and report them to their IT team,” Flouton said.
Barracuda said that other steps organizations can take to quickly identify and eliminate phishing emails in the environment include proactive threat hunting, automation, and tighter integration between incident response and email and web security teams.
Jai Vijayan is an experienced technology journalist with more than 20 years of experience in the IT trade press. He most recently served as senior editor at Computerworld, where he covered information security and data privacy issues for the publication. In the course of his 20 years…